To perform an authorization check explicitly, you use the AUTHORITY-CHECK statement. In it, you specify the authorization object against which you want to check, along with the required values. The AUTHORITY-CHECK here performs a check against object /DMO/TRVL and requires the user to have an authorization containing the value US for field CNTRY and 03 for field ACTVT.
How to Check the Result of the Authorization Check
Unlike the filtered authorization checks that come with CDS access controls, the AUTHORITY-CHECK statement does not prevent users from seeing data for which they have no authorization.
AUTHORITY-CHECK places a return code in the system field sy-subrc. By checking the value of sy-subrc immediately after the authorization check, you can find out whether the check was successful or not.
If the authorization check was successful, sy-subrc has the value 0. Other values of sy-subrc mean that the check has failed:
- The value 4 means that the user has an authorization for the corresponding object, but not the right values.
- The value 12 means that the user does not have an authorization for the corresponding object at all.
If the authorization check fails, it is up to your own code to ensure that the user cannot access the data.
In the example, the authorization check requires the user to have an authorization for country 'US'. Since that is not the case for our user, sy-subrc is not equal to zero after the authorization check. In this case, the app displays the text 'No authorization'.
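The check and its return-code handling, written out as an added example (not the code from the original page). The class name zcl_authority_check_demo, the method check_display and the sample rows are hypothetical; the object /DMO/TRVL, the fields CNTRY and ACTVT and their values are taken from the text above, and the class assumes a system where the interface if_oo_adt_classrun is available.

```abap
CLASS zcl_authority_check_demo DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    INTERFACES if_oo_adt_classrun.
  PRIVATE SECTION.
    TYPES ty_country TYPE c LENGTH 3.
    METHODS check_display
      IMPORTING country   TYPE ty_country
      RETURNING VALUE(rc) TYPE i.
ENDCLASS.

CLASS zcl_authority_check_demo IMPLEMENTATION.
  METHOD check_display.
    " Object, fields and activity value as named in the text above
    AUTHORITY-CHECK OBJECT '/DMO/TRVL'
      ID 'CNTRY' FIELD country
      ID 'ACTVT' FIELD '03'.
    " Save sy-subrc at once: later statements may overwrite it
    rc = sy-subrc.
  ENDMETHOD.

  METHOD if_oo_adt_classrun~main.
    " Constructed sample rows standing in for the protected data
    DATA travels TYPE STANDARD TABLE OF string WITH EMPTY KEY.
    travels = VALUE #( ( `Travel 1 (US)` ) ( `Travel 2 (US)` ) ).

    CASE check_display( 'US' ).
      WHEN 0.
        " Only a successful check may reach the data
        out->write( travels ).
      WHEN 4.
        " Authorization for the object exists, but not with these values
        out->write( `No authorization (values do not match)` ).
      WHEN 12.
        " No authorization for the object at all
        out->write( `No authorization (none for this object)` ).
      WHEN OTHERS.
        " Fail closed on any other return code
        out->write( `No authorization` ).
    ENDCASE.
  ENDMETHOD.
ENDCLASS.
```

The data is written only in the WHEN 0 branch, so every failed or unexpected return code leaves the user without access.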